dcrat | 8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Size

4.9MB
MD5

7c5669c1eb8e15de18ad5888920de3f7
SHA1

62f204afa1b1c8dda8f0474ce2e5e915ba5d49bb
SHA256

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811
SHA512

791b8c43b98b3d80b20071b9088bae6171f4e5ae34c1b56fdc7074d0785fc0bd3d9c4efbdabbcf42962725eff9ab543f47004c1f6641777b54dd1d28fe2584db
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8Z:R

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2144	schtasks.exe	31

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sppsvc.exesppsvc.exe8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2312-3-0x000000001AC30000-0x000000001AD5E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1284	powershell.exe
1712	powershell.exe
2392	powershell.exe
1540	powershell.exe
944	powershell.exe
548	powershell.exe
2620	powershell.exe
1436	powershell.exe
3064	powershell.exe
1812	powershell.exe
1100	powershell.exe
1536	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid	Process
1892	sppsvc.exe
1280	sppsvc.exe
2756	sppsvc.exe
1976	sppsvc.exe
1028	sppsvc.exe
1688	sppsvc.exe
1600	sppsvc.exe
688	sppsvc.exe
2608	sppsvc.exe
2908	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sppsvc.exesppsvc.exe8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe

Drops file in Program Files directory 4 IoCs

Processes:

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\6cb0b6c459d5d3	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCXED65.tmp	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

Drops file in Windows directory 8 IoCs

Processes:

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

description	ioc	Process
File created	C:\Windows\Help\sppsvc.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\Help\0a1fd5f707cd16	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\L2Schemas\RCXE13F.tmp	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\L2Schemas\sppsvc.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\Help\RCXE556.tmp	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\Help\sppsvc.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\L2Schemas\sppsvc.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\L2Schemas\0a1fd5f707cd16	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2236	schtasks.exe
580	schtasks.exe
1644	schtasks.exe
2792	schtasks.exe
1640	schtasks.exe
1780	schtasks.exe
2768	schtasks.exe
2908	schtasks.exe
1036	schtasks.exe
1880	schtasks.exe
2968	schtasks.exe
2136	schtasks.exe
2492	schtasks.exe
1476	schtasks.exe
2132	schtasks.exe
2852	schtasks.exe
2440	schtasks.exe
2960	schtasks.exe
1648	schtasks.exe
2892	schtasks.exe
1588	schtasks.exe
1092	schtasks.exe
2836	schtasks.exe
2696	schtasks.exe
2704	schtasks.exe
2404	schtasks.exe
340	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

sppsvc.exe

pid	Process
1892	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid	Process
2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
2620	powershell.exe
1100	powershell.exe
548	powershell.exe
1436	powershell.exe
2392	powershell.exe
3064	powershell.exe
1284	powershell.exe
944	powershell.exe
1712	powershell.exe
1540	powershell.exe
1536	powershell.exe
1812	powershell.exe
1892	sppsvc.exe
1280	sppsvc.exe
2756	sppsvc.exe
1976	sppsvc.exe
1028	sppsvc.exe
1688	sppsvc.exe
1600	sppsvc.exe
688	sppsvc.exe
2608	sppsvc.exe
2908	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1892	sppsvc.exe
Token: SeDebugPrivilege	1280	sppsvc.exe
Token: SeDebugPrivilege	2756	sppsvc.exe
Token: SeDebugPrivilege	1976	sppsvc.exe
Token: SeDebugPrivilege	1028	sppsvc.exe
Token: SeDebugPrivilege	1688	sppsvc.exe
Token: SeDebugPrivilege	1600	sppsvc.exe
Token: SeDebugPrivilege	688	sppsvc.exe
Token: SeDebugPrivilege	2608	sppsvc.exe
Token: SeDebugPrivilege	2908	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.execmd.exesppsvc.exeWScript.exesppsvc.exe

description	pid	Process	procid_target
PID 2312 wrote to memory of 1100	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	59
PID 2312 wrote to memory of 1100	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	59
PID 2312 wrote to memory of 1100	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	59
PID 2312 wrote to memory of 944	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	60
PID 2312 wrote to memory of 944	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	60
PID 2312 wrote to memory of 944	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	60
PID 2312 wrote to memory of 1536	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	61
PID 2312 wrote to memory of 1536	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	61
PID 2312 wrote to memory of 1536	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	61
PID 2312 wrote to memory of 548	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	63
PID 2312 wrote to memory of 548	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	63
PID 2312 wrote to memory of 548	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	63
PID 2312 wrote to memory of 1812	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	65
PID 2312 wrote to memory of 1812	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	65
PID 2312 wrote to memory of 1812	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	65
PID 2312 wrote to memory of 1540	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	67
PID 2312 wrote to memory of 1540	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	67
PID 2312 wrote to memory of 1540	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	67
PID 2312 wrote to memory of 2620	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	68
PID 2312 wrote to memory of 2620	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	68
PID 2312 wrote to memory of 2620	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	68
PID 2312 wrote to memory of 1284	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	70
PID 2312 wrote to memory of 1284	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	70
PID 2312 wrote to memory of 1284	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	70
PID 2312 wrote to memory of 2392	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	71
PID 2312 wrote to memory of 2392	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	71
PID 2312 wrote to memory of 2392	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	71
PID 2312 wrote to memory of 3064	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	72
PID 2312 wrote to memory of 3064	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	72
PID 2312 wrote to memory of 3064	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	72
PID 2312 wrote to memory of 1712	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	74
PID 2312 wrote to memory of 1712	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	74
PID 2312 wrote to memory of 1712	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	74
PID 2312 wrote to memory of 1436	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	75
PID 2312 wrote to memory of 1436	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	75
PID 2312 wrote to memory of 1436	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	75
PID 2312 wrote to memory of 2372	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	83
PID 2312 wrote to memory of 2372	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	83
PID 2312 wrote to memory of 2372	2312	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	83
PID 2372 wrote to memory of 1440	2372	cmd.exe	85
PID 2372 wrote to memory of 1440	2372	cmd.exe	85
PID 2372 wrote to memory of 1440	2372	cmd.exe	85
PID 2372 wrote to memory of 1892	2372	cmd.exe	86
PID 2372 wrote to memory of 1892	2372	cmd.exe	86
PID 2372 wrote to memory of 1892	2372	cmd.exe	86
PID 2372 wrote to memory of 1892	2372	cmd.exe	86
PID 2372 wrote to memory of 1892	2372	cmd.exe	86
PID 1892 wrote to memory of 3052	1892	sppsvc.exe	87
PID 1892 wrote to memory of 3052	1892	sppsvc.exe	87
PID 1892 wrote to memory of 3052	1892	sppsvc.exe	87
PID 1892 wrote to memory of 1932	1892	sppsvc.exe	88
PID 1892 wrote to memory of 1932	1892	sppsvc.exe	88
PID 1892 wrote to memory of 1932	1892	sppsvc.exe	88
PID 3052 wrote to memory of 1280	3052	WScript.exe	89
PID 3052 wrote to memory of 1280	3052	WScript.exe	89
PID 3052 wrote to memory of 1280	3052	WScript.exe	89
PID 3052 wrote to memory of 1280	3052	WScript.exe	89
PID 3052 wrote to memory of 1280	3052	WScript.exe	89
PID 1280 wrote to memory of 1988	1280	sppsvc.exe	90
PID 1280 wrote to memory of 1988	1280	sppsvc.exe	90
PID 1280 wrote to memory of 1988	1280	sppsvc.exe	90
PID 1280 wrote to memory of 2800	1280	sppsvc.exe	91
PID 1280 wrote to memory of 2800	1280	sppsvc.exe	91
PID 1280 wrote to memory of 2800	1280	sppsvc.exe	91

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
"C:\Users\Admin\AppData\Local\Temp\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IUyQJ4qDvO.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1440
- - C:\Windows\Help\sppsvc.exe
    "C:\Windows\Help\sppsvc.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1892
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdc93436-a712-44b9-bf48-7f5392a4fbaa.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\Help\sppsvc.exe
        
        C:\Windows\Help\sppsvc.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1280
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6838fe38-5b59-41b2-a0e3-4ae74047b42e.vbs"
        6⤵
        
        PID:1988
        
        C:\Windows\Help\sppsvc.exe
        
        C:\Windows\Help\sppsvc.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b343811-c213-40cd-b9e7-30290efd3c3b.vbs"
        8⤵
        
        PID:2636
        
        C:\Windows\Help\sppsvc.exe
        
        C:\Windows\Help\sppsvc.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd3f9e97-675b-4f29-8207-cec84732fe1b.vbs"
        10⤵
        
        PID:988
        
        C:\Windows\Help\sppsvc.exe
        
        C:\Windows\Help\sppsvc.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c33b6336-7d5a-449c-9533-f88902aba67d.vbs"
        12⤵
        
        PID:2320
        
        C:\Windows\Help\sppsvc.exe
        
        C:\Windows\Help\sppsvc.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4079332-7df1-4717-955b-5d827b9887e7.vbs"
        14⤵
        
        PID:628
        
        C:\Windows\Help\sppsvc.exe
        
        C:\Windows\Help\sppsvc.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\731b6888-eb04-4945-a9a2-4e8b9a11496a.vbs"
        16⤵
        
        PID:2596
        
        C:\Windows\Help\sppsvc.exe
        
        C:\Windows\Help\sppsvc.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bec2b924-acef-4bfa-a61b-ba6f8cf1c158.vbs"
        18⤵
        
        PID:2332
        
        C:\Windows\Help\sppsvc.exe
        
        C:\Windows\Help\sppsvc.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5dfb6af-deb3-42ec-9c93-559f6426b813.vbs"
        20⤵
        
        PID:2088
        
        C:\Windows\Help\sppsvc.exe
        
        C:\Windows\Help\sppsvc.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b85eb44c-2d4d-4a51-bfb2-2ce6207b1c73.vbs"
        22⤵
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cc34e3c-57cc-4ce5-b1c5-3bcedc8de491.vbs"
        22⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5309bcb0-8800-4ac5-85e9-f4ec93b8c858.vbs"
        20⤵
        
        PID:2152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9adbf0c0-5e8c-4907-bd8d-dfd723f23cc5.vbs"
        18⤵
        
        PID:1216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\519e25b4-0cea-4d30-b586-a23b57fc87c9.vbs"
        16⤵
        
        PID:900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2bc9156-76e3-4474-bb81-f71cd7a691a9.vbs"
        14⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1992181-6a0c-4286-a87e-63ce78f29a3c.vbs"
        12⤵
        
        PID:380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95567782-4ea4-4a2f-975e-bb4265f1ca7c.vbs"
        10⤵
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b22dc1f7-27db-440f-bb24-aa9bb05804df.vbs"
        8⤵
        
        PID:2172
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a7cffaf-0ffc-4e17-87ec-64c7b7b3fca2.vbs"
        6⤵
        
        PID:2800
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95681726-6b47-4660-87e7-e0684a76ea1c.vbs"
      4⤵
      PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\L2Schemas\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Help\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0b343811-c213-40cd-b9e7-30290efd3c3b.vbs

Filesize
702B

MD5
21294e1a5b4abd87263934759f95dfe2

SHA1
1b57d6149460f5048ba32535da4bdaa787eae3c9

SHA256
8daa1edc3f0fc4f93c5b091a081d6a9c3e09dd13d3601e52c3ec3ac5545a712f

SHA512
cc2092fe09469ed51c3eb3624e046253c09045ba5d6f3c8335d481140cb3373658b013d1833c73f66d56d9e54145c8ed0d8cd30a981c549eeded9b3b22469ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6838fe38-5b59-41b2-a0e3-4ae74047b42e.vbs

Filesize
702B

MD5
3b274322731e84d93c845fa198bb5dc4

SHA1
fd515a24f757fa67b6a506d017696bc21e735155

SHA256
939b7df8bfa245b7c51ce20d56513fc53bfd0358cd5d3a6b5d036111a1057cc4

SHA512
cd3a9dc7245e57fb66c1948917edb3c78f4e3d3d280898f107ad445f1f491b39b06460dc55c12cbf4ae6ce7075ed49f5e4e5409b00a602fed6fcf4e2656033c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\731b6888-eb04-4945-a9a2-4e8b9a11496a.vbs

Filesize
702B

MD5
7fc49dff9e41d47adca47dee2e8afc5c

SHA1
2593272e8d7b866fbe8abc3264ce03ef72e3d0e4

SHA256
74a3262ce165f87c501d100bcc46c036448306b2ea34749240ccc104c8a8f7dd

SHA512
f1c9fed6b24f9ab1d894bc5c5011b1741df1fced832bb7a0f9134e98828e5dd674eda5453bf2113612037bc2167229280aa193d2d55c411a202b10d5b07be733

Download Submit
C:\Users\Admin\AppData\Local\Temp\95681726-6b47-4660-87e7-e0684a76ea1c.vbs

Filesize
478B

MD5
dae9672cbe139e4ec0bd8201a04bd8b0

SHA1
3f8bb74cbd8cfd42d203a86152df0afbb2a294d4

SHA256
9ecdb125d0e52f3e2c6dbcf20608aa016f8eb0e9972b8fe2abc754db73dc4b02

SHA512
ad05337d6695964281a623702d9df1a5745fe23cbb4827a55d0ff0933f8af074b0efa9d094de9c6d213350bb9d7c3873f83adf17712bb4295551d7035c732e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUyQJ4qDvO.bat

Filesize
191B

MD5
e1d89272f19c2b4137fd96cd5f9e74f6

SHA1
67ce6f9dcc0db62716ef0065c12f49e84555340f

SHA256
4b01a058c1a8e0a5d60cd44a055eb54a698bbf8865ad0716d5ac8144513235e9

SHA512
505454f581ad7f71f2a2209310957fa122e9bcab1e3892fadf134d3d72ce5aa2ea88a2c300b614326c8f3717c712e77d7ad519a6377e7c635e5cb050a2567f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5dfb6af-deb3-42ec-9c93-559f6426b813.vbs

Filesize
702B

MD5
bcfa353cc5cee0923118f6363226edbe

SHA1
697164c8f79c61e75e5c0e16a424757a4ab52382

SHA256
53277b0ac58160582ae1d89f58078aecdf332a768c16b21056170cd361de6850

SHA512
3bc1a08cd8daeda0d9c58afafb9af0d55a7d090b11c79e6edb5b8e586f51a21291cb135b4ed6b04d25d27bc4890488036481701a6fd89bfa489be0ee577267ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\b85eb44c-2d4d-4a51-bfb2-2ce6207b1c73.vbs

Filesize
702B

MD5
82e642214a4f7ee9cf29dac39d06d8f2

SHA1
b3a27614899faa89b776433eefee27bb098fa93f

SHA256
7636d6fe335da296f64bde2c3eea027b8354ea15fd19adb49fe6927ba42057a6

SHA512
ba25d83e0baa4ff24fcb792828d1d20c1f2328cf9fca098d28ac471137698178553bf7f36ded450768678e72154ad1a17307f5a54f9c85595a83f98cde55e76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd3f9e97-675b-4f29-8207-cec84732fe1b.vbs

Filesize
702B

MD5
c17af9c13b6a50abdd3b470581d506c9

SHA1
b14dca4e26e4e2452ad631db4d0d4c5ccb2030ba

SHA256
aa3df8cfd1d7594f790cd3db0bbea38ec2fc9edfaf8118fc221d3fa56f738ee3

SHA512
fd4750ef0d0993b3dcd4bbc82daee57a504ac469238e98715ce9cf54598a93bdc641665b8d527d46cdb5c983969a62869ec73d337132c3504951e80e23c11677

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdc93436-a712-44b9-bf48-7f5392a4fbaa.vbs

Filesize
702B

MD5
a34ee8ca089f510fcb2ec9b8e5928327

SHA1
fc8722da3ce4eb862b571effca6d321b6bc0810a

SHA256
fc3750205b27c09430ae1b0cc32d7c043e5582c77a282a8d3cf808ccb7e2c86d

SHA512
c5a7d6cbd7f2992e46f8e1b827ff0f83be2381ea5d2f5b1c3cd8dbef3ba0ec9957427fc0b5bb2ee3ea15c7fb79fef4806074b476f9b5ceec5d449e4ed14e8c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\bec2b924-acef-4bfa-a61b-ba6f8cf1c158.vbs

Filesize
701B

MD5
3734b6d19566e4c8b786bf59db33df9a

SHA1
c2c8e91ae583bc2ea5dfc49188d95741adf17a8f

SHA256
cf114e88e8361bda83cf3a66477f4d5718e34661a2dbefa3fb8fca95206b5fac

SHA512
075afedb7b6a0ec87f03995d22b8126ed2e21bb0a05ade1c3bb58df4210323414375618c16c0f187bc2685f69b01a345f17de79a7eb3eabd9145e9909e33874c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c33b6336-7d5a-449c-9533-f88902aba67d.vbs

Filesize
702B

MD5
8c6febe3b0d70d5eb254dd6d005d4060

SHA1
ed2f46d359924a6fc9349fbc6c6dfcabc35245a1

SHA256
5a4aead6f4e0ae0835825b59fc1b4dbdaebc1e8a68a59f43fb143b65d13ad35d

SHA512
3b0b777c6ca44ddebb8115d2e126ceb1712df296e9ab713065f92ae45e2135030175502ea22863704789c1bfed86329a94adea1976239f49b2d039792dc99f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4079332-7df1-4717-955b-5d827b9887e7.vbs

Filesize
702B

MD5
467c8aad08f9e9eb9d9aa7da1849f895

SHA1
702ec7a93a8f7a1335e700dea83b3fd689e139ca

SHA256
77417e2d31bf481455fea948fa89d79e96579ecef7681d5526057ffb2fdfab99

SHA512
fcf8c359c1f4392b91610a5af9f8ea354a07fa5d5cc86f9295cbe56594f7aa2499d94677e22ab9fafe646ee811d3757db882a8a6677ba357b9cf287530173683

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11BC.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
08d9c10cd1b86d640b784aa9ece2a4ef

SHA1
af7b5b0d82f89b34af8e8961d2cdb620ba681eab

SHA256
dcc05f9353a4b4bc4a9c3531d508992d07d2178e1b6e16fcc1ecab9cfcb93e1c

SHA512
1b931d034f579907ff0c7783e12ddbb545ca18b1acb295224d692db06b0a34f374ce454f17e7a6181af0e0b6e2a6ab8060a16a857a69c4e044fe75b71aab71ee

Download Submit
C:\Windows\Help\sppsvc.exe

Filesize
4.9MB

MD5
7c5669c1eb8e15de18ad5888920de3f7

SHA1
62f204afa1b1c8dda8f0474ce2e5e915ba5d49bb

SHA256
8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811

SHA512
791b8c43b98b3d80b20071b9088bae6171f4e5ae34c1b56fdc7074d0785fc0bd3d9c4efbdabbcf42962725eff9ab543f47004c1f6641777b54dd1d28fe2584db

Download Submit
memory/1280-187-0x00000000003C0000-0x00000000008B4000-memory.dmp

Filesize
5.0MB

Download
memory/1280-188-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/1892-173-0x0000000000E70000-0x0000000001364000-memory.dmp

Filesize
5.0MB

Download
memory/1976-218-0x00000000011B0000-0x00000000016A4000-memory.dmp

Filesize
5.0MB

Download
memory/2312-10-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/2312-5-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/2312-1-0x0000000001220000-0x0000000001714000-memory.dmp

Filesize
5.0MB

Download
memory/2312-2-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2312-16-0x0000000001200000-0x000000000120C000-memory.dmp

Filesize
48KB

Download
memory/2312-15-0x00000000011F0000-0x00000000011F8000-memory.dmp

Filesize
32KB

Download
memory/2312-14-0x00000000011E0000-0x00000000011E8000-memory.dmp

Filesize
32KB

Download
memory/2312-13-0x0000000000D50000-0x0000000000D5E000-memory.dmp

Filesize
56KB

Download
memory/2312-12-0x0000000000D40000-0x0000000000D4E000-memory.dmp

Filesize
56KB

Download
memory/2312-11-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/2312-0-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

Filesize
4KB

Download
memory/2312-3-0x000000001AC30000-0x000000001AD5E000-memory.dmp

Filesize
1.2MB

Download
memory/2312-9-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/2312-8-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/2312-7-0x0000000000A90000-0x0000000000AA6000-memory.dmp

Filesize
88KB

Download
memory/2312-6-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/2312-108-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2312-4-0x00000000004A0000-0x00000000004BC000-memory.dmp

Filesize
112KB

Download
memory/2620-139-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/2620-138-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2756-203-0x0000000000E60000-0x0000000001354000-memory.dmp

Filesize
5.0MB

Download
memory/2908-303-0x00000000000A0000-0x0000000000594000-memory.dmp

Filesize
5.0MB

Download